RE: IE is just as safe as FireFox

["Todd Towles" <toddtowles () brookshires com>]

I agree with you, maybe good coding was the wrong word. But you got the
idea.

IE isn't part of the OS in Microsoft mind...but it is in the customers.
You get a new computer and you hear on the TV, not to use IE...because
it has holes. A good customer does the right thing and gets another
browser and uses that.  Not knowing that Outlook and IE problem can hurt
them anyways. Microsoft doesn't show separate to the customer - why?
Because they people believe want stuff all connected together, which is
true. Most of the customers don't see what is happening and it takes
professional like us to get the ball rolling...to protect them and us.

Microsoft made a bold step by changing security in SP2. It was going to
break stuff...and it was stupid to see people yell about that. They told
us it would, we knew it would. I am glad to see they are starting to
take steps toward a better systems, but Microsoft has room for
improvement to say the least.

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of joe
> Sent: Monday, November 15, 2004 1:26 PM
> To: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] IE is just as safe as FireFox
>
> > Everytime a Firefox exploit comes out..there is already a fix...
> > is that magic? No..it is good coding...
>
> What? 
>
> Having a quick fix out is due to low complexity of issue and 
> assisted by a lack of dependencies so you have reduced time 
> for patching and testing. It has nothing to do with code 
> quality. I have seen some extremely good code that hit an 
> issue that took long periods of time to correct due to the 
> complexity of the issue with all of the requirements that had 
> to be stacked up to cause an issue. I have also seen crappy 
> code that could be pretty quickly patched up for various 
> things and often contributed to how crappy it was. Again, 
> code quality and time to patch has nothing to do with each 
> other except if you had great code you wouldn't even have to 
> worry about exploits and patching. Great code, IMO, requires 
> 100% assertions of all incoming data and NO ONE does that. 
> Programmers assume that incoming data will fit in a specific 
> range and go with it. At some point we as developers (some 
> earlier than others) learned that we should at least be 
> checking for data length though that still isn't the full 
> assertion that should be done on the quality and state of the 
> data. One reason for not doing a full assertion is for future 
> flexibility, don't check the data too close so you don't have 
> to recompile for a new use. Mostly it is done because coders 
> just don't think someone will do something so off the wall or 
> are too lazy or too pressed for time to care.
>
>
> Saying that, I agree, as I have stated many times on this 
> list, that IE needs to be backed down. If there has to be 
> some piece of it that absolutely has to be in the OS it 
> should be a very basic very small very simple hello world 
> basic HTML only rendering capability - you get fonts and 
> anchors and not much more - it isn't even possible to execute 
> anything even if the user agrees with a signature in blood. 
> The code being tiny and truly a part of the OS in that it 
> isn't possible to upgrade it to IE version x. It is updated 
> with OS updates. Code so small and tight and well controlled 
> and understood and practically memorized by the developers 
> that MS could put a monetary guarantee behind the ability to 
> exploit it. Say HTTP-EQUIV gets $10 million if he finds a way 
> to crack it and run remote exploit code with a realistic POC.  
>
> If someone wants a full function IE, they load that 
> separately an dit runs in a sandbox as guest. Personally I 
> never agreed that IE was truly part of the OS. There are some 
> artificial dependencies built in for some of the display 
> stuff like help, etc but NTFS and threading and all of that 
> works just fine without IE. 
>
> If pulling IE out of the Explorer shell is too difficult. 
> Then I for one would be fully behind a new secure type shell 
> replacement for the Explorer Shell. We had ProgMan Shell for 
> several years then we got the Explorer Shell. Maybe it is 
> time to get a new shell, at least for servers. 
>
> I was recently in Redmond and the message I kept feeding back 
> over and over again was that we needed a way to not have to 
> load IE onto machines. I am looking to moving forward ideas. 
> If they give me the ability, I am not going to whine why I 
> can't do the same on Win9x or 2K or even XP. So many people 
> bitch on this list about MS supporting legacy stuff and then 
> they or someone else starts bitching that MS isn't back 
> porting the changes. Pick one or the other but keep in mind 
> if things have to keep getting back ported, resources for 
> that aren't moving us forward. I myself, would rather move forward. 
>
>   joe
>
>
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> Todd Towles
> Sent: Friday, November 12, 2004 10:10 AM
> To: Rafel Ivgi, The-Insider; 
> full-disclosure () lists netsys com; Colin.Scott () csplc com
> Subject: RE: [Full-disclosure] IE is just as safe as FireFox
>
> <SNIP>
>  Everytime a Firefox exploit comes out..there is already a 
> fix...is that magic? No..it is good coding... 
> <SNIP>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html